Re: PROPOSAL for periodic/security/800.loginfail

From: Garance A Drosehn <gad_at_FreeBSD.org>
Date: Sun, 19 Mar 2006 08:59:59 -0500
At 8:28 AM -0500 3/19/06, Garance A Drosehn wrote:
>
>So... five cans of Jolt Blue later, I have a new version
>of the script available at:
>http://people.freebsd.org/~gad/filters/loginfail-V2.nawk

Disclaimer:  This script is in fine shape for anyone who
wants to test it by running a bunch of their own authlog
records through it.  I would not suggest using it for the
daily security-check though!

The comments in the script might be out-of-sync with the
code.  I'm making it available just because I'm taking a
break for awhile, and I thought this was good enough to
show it off.  But I still have more code-rearranging that
I plan to do, so don't spend time writing any updates to
this specific snapshot.  Let me know if it should be
doing something else, of course, just don't spend time
writing an update to do that.

I haven't written changes to 800.loginfail yet.  For the
initial testing, I was guessing I'd add the script to a
new directory:   /etc/periodic/helpers
and then change the script to do something along the
lines of:

case "$daily_status_security_loginfail_enable" in
     [Yy][Ee][Ss])
         echo ""
         echo "${host} login failures:"
         n=$(catmsgs | egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)" |
             tee /dev/stderr | wc -l)
         [ $n -gt 0 ] && rc=1 || rc=0;;
     [Tt][Ee][Ss][Tt])
         echo ""
         echo "${host} login failures:"
         n=$(catmsgs | egrep -ia "^$yesterday.*" | \
             "${daily_status_security_loginfail_script}" \
                 ${daily_status_security_loginfail_flags} | \
             tee /dev/stderr | wc -l)
         [ $n -gt 0 ] && rc=1 || rc=0;;
     *)  rc=0;;
esac

And then have the following two variables added
to /etc/defaults/periodic.conf :

daily_status_security_loginfail_script="/etc/periodic/helpers/loginfail.nawk"
daily_status_security_loginfail_flags="sum_sshd_baduserids=5"

...but I have zero experience with any of the periodic
scripts, so that is just me guessing at the right things
to do.  If there's a committer who would want to handle
the changes to those files, I would be very happy to let
anyone else handle that part.  Just let me know where to put the
script once I'm ready to let people test it.

-- 
Garance Alistair Drosehn     =      gad_at_gilead.netel.rpi.edu
Senior Systems Programmer               or   gad_at_FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
Received on Sun Mar 19 2006 - 13:00:03 UTC
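As an added example (not Garance's loginfail-V2.nawk and not FreeBSD's 800.loginfail), here is a small sh-wrapped POSIX awk filter of the kind the proposal plugs in as the helper script, run over constructed authlog records. The function name, the sample hosts and addresses, and the meaning given to sum_sshd_baduserids are assumptions.

```shell
# Constructed stand-in for the proposed loginfail.nawk (not Garance's
# loginfail-V2.nawk): a POSIX awk filter wrapped in a sh function so it
# can be invoked like the helper in the 800.loginfail sketch, i.e.
# loginfail_summary sum_sshd_baduserids=N < records-for-yesterday.
# Non-sshd failure records pass through unchanged (same match terms as
# the egrep in 800.loginfail); sshd "Invalid user" records are counted
# per userid, and collapsed to one line once the number of distinct bad
# userids exceeds sum_sshd_baduserids. That meaning of the knob is an
# assumption, not something the proposal spells out.
loginfail_summary() {
    awk '
    BEGIN { if (sum_sshd_baduserids == "") sum_sshd_baduserids = 5 }
    # sshd probes for accounts that do not exist: tally, do not print yet
    /sshd\[[0-9]+\]: (Invalid user|Failed password for invalid user) / {
        for (i = 1; i <= NF; i++)
            if ($i == "user") { bad[$(i + 1)]++; break }
        records++
        next
    }
    # everything else that 800.loginfail would have shown, shown as-is
    tolower($0) ~ /fail|invalid|bad|illegal/ { print }
    END {
        n = 0
        for (u in bad) n++
        if (n > sum_sshd_baduserids)
            printf "sshd: %d invalid userids in %d records (sum_sshd_baduserids=%d)\n",
                   n, records, sum_sshd_baduserids
        else
            for (u in bad)
                printf "sshd: %d records for invalid user %s\n", bad[u], u
    }' "$@" | LC_ALL=C sort
}

# Constructed sample authlog records for one day (hostname and
# addresses are made up; 192.0.2.0/24 is documentation space).
SAMPLE_AUTHLOG='Mar 18 02:10:01 gilead sshd[7012]: Invalid user admin from 192.0.2.10
Mar 18 02:10:03 gilead sshd[7012]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar 18 02:11:15 gilead sshd[7020]: Invalid user oracle from 192.0.2.10
Mar 18 03:30:40 gilead sshd[7100]: Failed password for gad from 192.0.2.20 port 51234 ssh2
Mar 18 04:02:07 gilead login: 2 LOGIN FAILURES ON ttyv0
Mar 18 04:05:00 gilead su: BAD SU alice to root on /dev/pts/1
Mar 18 04:10:00 gilead sshd[7200]: Accepted publickey for gad from 192.0.2.20 port 51300 ssh2'

# Default threshold (5): only two bad userids, so each gets its own count line.
printf '%s\n' "$SAMPLE_AUTHLOG" | loginfail_summary sum_sshd_baduserids=5
```

Passing sum_sshd_baduserids=1 instead collapses the two probed userids into a single summary line while the login, su and real-user sshd failures still appear verbatim.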
